Fleximus Blog

We are pleased to interview Oliver Pinter and Shawn Webb, the core developers of the HardenedBSD project.

Founded in 2014, the project aims to be a security-enhanced FreeBSD with modern exploit mitigation technologies
such as PaX and ASLR, and it also introduces a number of new sysctls to the system.

Fleximus: Before we go into any details, please introduce yourselves and then give us a brief introduction of
your project.

Oliver/Shawn:

Fleximus: When did you come to FreeBSD and why did you decide to start this sub-project?

Shawn: I first learned about FreeBSD as a teenager. I was introduced to it by a group of old-school hackers.
I've fallen in love with it ever since. Oliver and I founded HardenedBSD in April of 2014. Both of us were interested
in implementing ASLR for FreeBSD and Oliver already had an existing patch. We created HardenedBSD to coordinate our
work on ASLR along with other exploit mitigations. We've been working on providing more exploit mitigation technologies
ever since starting HardenedBSD.

Oliver: I first tried FreeBSD at version 6.1-STABLE, but compiling the whole system took too much time
(KDE3 and OpenOffice), so I suspended FreeBSD until 2008, when I got a new PC. This new PC was powerful enough
to compile the whole system in finite time. The other reason for the change from Debian to FreeBSD was an infinite
number of XFS file system corruptions. I tried a lot of Linux versions, from 2.6.17 to 2.6.32, but none
worked, so I finally switched to FreeBSD.

The HardenedBSD project was started based on my university thesis, which focused primarily on the Intel S.M.A.P.
implementation for FreeBSD, and secondly on ASLR. One day I got an e-mail from pipacs (one member of the PaX Team)
saying that someone else had started working on FreeBSD hardening, and he gave me a link to Shawn's blog entry. At
first we worked in different repos, until I got bored of the many merge / cherry-pick conflicts and created
the HardenedBSD repo on GitHub; this was in spring 2014.

Fleximus: What is the long-term goal of HardenedBSD? Upstreaming the patches so that they become an integral part of the
FreeBSD system seems to be a big one. We heard this could happen with FreeBSD 11.

Shawn: We want to provide the world with better security. FreeBSD is used quite heavily by some rather large
companies and communities. FreeBSD lags behind the rest of the world in exploit mitigation technologies. We want
to fill that gap.

When FreeBSD releases 11.0, we'll follow within a reasonable amount of time (we get to define "reasonable" as
"when it's ready") with our first official release.

Eventually, we want to start selling our own security appliances. We've started researching that already and have
deliciousness cooking in the oven.

We're adding more system-level hardening bits. I'm hardening syscalls and sysctls. Oliver's continuing work on
Intel SMAP and finishing up PaX NOEXEC. My next large task is revamping how our SEGVGUARD works, following grsec's
model more closely. Oliver will also start on PaX UDEREF.

We added a new member to our team. He goes by the handle "CTurt". He's focusing on finding vulnerabilities and
exploiting them in FreeBSD along with providing patches to secure those vulnerabilities.

Fleximus: Are there any key differences in the ASLR or PaX implementation compared to Linux or anything else
worth noting?

Shawn: We took PaX's implementation as our inspiration, even working with the PaX Team in ensuring ours is implemented properly.

Oliver: We followed mostly the PaX documentation, but currently we lack a little of them.

Fleximus: OpenBSD implemented ASLR in 2003 and finished its implementation in 2008. Did you look at their source code to evaluate a migration of their work to FreeBSD?

Shawn: Even though OpenBSD is BSD-licensed, I've avoided looking at other implementations to prevent licensing concerns. That way, my code is my code. I don't have to worry about adding others to the copyright statement and/or using their copyright altogether.

Fleximus: We read that you wrote patches for FreeBSD-11 and already backported those patches back to FreeBSD 10-STABLE. What is the current status of the project?

Shawn: All work we deem stable we backport to 10-STABLE. We maintain package repos for both 11-CURRENT/amd64 and 10-STABLE/amd64.

Oliver: At the project's beginning the code was developed on 10-STABLE and forward-ported to 11-CURRENT. Shawn
used 11-CURRENT and I used 10-STABLE; this is why we have so many merge conflicts. We primarily focus new
development on 11-CURRENT, and if a given feature is stable enough, we cherry-pick it to 10-STABLE too.

Fleximus: Actually there's an ongoing poll on whether the linuxulator (Linux compat layer) should be removed from the
sources or not. As we are aware the more features and the more compatibility code exists, the more attack surface
is also present.

Shawn: I will be doing a bit more research into this area. It's still undecided whether we'll remove the Linux
compat layer. We need to wait till the linuxulator commits settle down and then do some additional work. As it stands
right now, COMPAT_FREEBSD32 has been removed from our custom kernel (the HARDENEDBSD amd64 kernel config). COMPAT_FREEBSD32
is required for the linuxulator to work. You'd have to compile your own kernel with that option added in to get the
linuxulator to work.

Fleximus: We thank you, Oliver and Shawn, for this interview. We got more insights and a better understanding
of the HardenedBSD project and are even more excited to see and test the results.

We encourage anyone who is interested in the project to help with contributions, your ideas and thoughts. The project also
accepts the usual donations, even bitcoins.

Shawn: Thank you for this great opportunity. We're having fun doing what we love. We hope to someday make this passion
sustainable as a full-time employ. It's because of the community that we're at where we are now. We look forward to giving back.

About the author

Felix Ehlers has worked in IT security for over 15 years. He began as a software and SQL developer, then quickly moved to Linux/FreeBSD server administration and finally to IT security. He loves to work with FreeBSD systems and open source software where feasible.